In our system, we have the username as private information. We believe that it is more secure this way. So, we created a custom profile field as a public account identifier to allow transactions between customers, and we do not allow customers to see other customers' usernames.
However, and this is the bug, if a user creates an operator, the operator can see the usernames of other customers, and it shouldn't.

Another issue that we found is that operators are not limited to seeing the groups that we have limited the user (father of the operator) to. Operators can see all users of all groups! This is another bug.
We are using Cyclos 4.11.5.

I cannot reproduce this problem. Please check that you don't have another product that is granting extra permissions to these users. You can check the final/active user permissions from the product link in the view user profile (logged in as admin). This way you can review the effective user permissions.

If you review and the problem persists, send a database dump to info@cyclos.org, and then we can debug it to check the problem.

We cannot send the database because of GDPR rules. We have this problem in a production instance of Cyclos. We cannot send personal data outside the European Union.
However, we analysed the issue and we discovered the cause.

So, the problem is:
1. an operator can see profile fields of other users that its father user (= the user that created the operator) cannot see;
2. an operator can change other users' addresses, if the user address is private;
3. an operator can change the phone number and address of the user that created the operator.

The cause of this was that the user that created the operator had a user product and a broker product.
After deleting the broker product from the user that created the operator, those problems disappeared.
This user was created as a normal user and then we added a broker product (in the past this was possible). Now that we deleted the broker product, we cannot add a broker product to that user.

So, we solved this issue for some of our customers (by simply deleting their broker product).

However, we have brokers that have operators and operators shouldn't be able to manage this data. So, it would be good to be able to specify which data an operator of a broker could manage.

The other issue that we had was the ability of users to see more users than they should see. That was caused by an additional product that had a bad configuration. It is also solved.